Brief guide to the Data Protection Act 1998

Most businesses in the UK that hold information about employees or customers will need to process personal data. As the sanctions for breach of data protection rules are criminal and civil, and are also likely to attract adverse publicity, it is important to have a good understanding of the regime and obligations to prevent potential data protection issues from arising.

Who is a data subject?
individuals on contact lists or marketing lists
employees
contractors
consultants
suppliers and customers

What is personal data?
names
addresses
telephone numbers
job titles
dates of birth
personal expressions of opinions or intentions
salary details
medical history
spending preferences

What is data processing?
obtaining data
recording data
holding data
using data
erasing data

Notification requirement

Principles of data protection processing
be processed fairly and lawfully
be obtained only for specified lawful purposes and not further processed in any incompatible manner
be adequate, relevant and not excessive in relation to the purpose for which it is processed
be accurate and kept up to date
not be kept for longer than necessary
be processed in accordance with the rights of data subjects
not be transferred outside the EEA unless certain conditions are met

Subject Access Requests
whether their personal data is being used
a description of how their personal data is being used
details of who personal data is or has been disclosed to
information relating to the source of the personal data
copies of any document containing their personal data

Consider anonymising data so that it is not classed as personal data.

Keep data records up to date and delete data that is no longer required to fulfil the purpose for which it was collected.

Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff).

If a business wants a third party to manage data (such as carrying out payroll services) it should take legal advice. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party.

Businesses should take legal advice if they are considering transferring any data outside the countries in the European Economic Area.
If the data is being used in marketing material, businesses should check that the recipient is aware that their data may be used for this reason and confirm they do not object.


A business will generally need the individual’s explicit consent (opt-in) for email, fax and text marketing. If the individual is an existing customer, the business may be able to market similar products to them by these means without prior explicit consent. Businesses should take legal advice in these circumstances.


Keep data secure at all times, for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files. Confidential papers should not be put in the recycling bin.
Use passwords to keep data secure.
Take care when working away from the office or in public areas.
Lisa Greenstreet.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.